blockmachine 0.1.0__tar.gz

blockmachine-0.1.0/PKG-INFO

@@ -0,0 +1,15 @@
+Metadata-Version: 2.4
+Name: blockmachine
+Version: 0.1.0
+Summary: BlockMachine CLI - Miner operator interface
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/taostat/blockmachine
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.10
+Requires-Dist: typer[all]>=0.9.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: PyJWT>=2.9.0
+Requires-Dist: cryptography>=44.0.0

blockmachine-0.1.0/__init__.py

@@ -0,0 +1 @@
+"""BlockMachine CLI - Miner operator interface"""

blockmachine-0.1.0/blockmachine.egg-info/PKG-INFO

@@ -0,0 +1,15 @@
+Metadata-Version: 2.4
+Name: blockmachine
+Version: 0.1.0
+Summary: BlockMachine CLI - Miner operator interface
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/taostat/blockmachine
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.10
+Requires-Dist: typer[all]>=0.9.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: PyJWT>=2.9.0
+Requires-Dist: cryptography>=44.0.0

blockmachine-0.1.0/blockmachine.egg-info/SOURCES.txt

@@ -0,0 +1,22 @@
+__init__.py
+client.py
+config.py
+main.py
+pyproject.toml
+settings.py
+utils.py
+./__init__.py
+./client.py
+./config.py
+./main.py
+./settings.py
+./utils.py
+blockmachine.egg-info/PKG-INFO
+blockmachine.egg-info/SOURCES.txt
+blockmachine.egg-info/dependency_links.txt
+blockmachine.egg-info/entry_points.txt
+blockmachine.egg-info/requires.txt
+blockmachine.egg-info/top_level.txt
+commands/__init__.py
+commands/auth.py
+commands/miner.py

blockmachine-0.1.0/blockmachine.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

blockmachine-0.1.0/blockmachine.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+blockmachine = cli.main:main
+bm = cli.main:main

blockmachine-0.1.0/blockmachine.egg-info/requires.txt

@@ -0,0 +1,5 @@
+typer[all]>=0.9.0
+rich>=13.7.0
+httpx>=0.27.0
+PyJWT>=2.9.0
+cryptography>=44.0.0

blockmachine-0.1.0/blockmachine.egg-info/top_level.txt

@@ -0,0 +1 @@
+cli

blockmachine-0.1.0/client.py

@@ -0,0 +1,120 @@
+"""HTTP client with auto-refresh for Registry API"""
+
+import logging
+from typing import Optional
+
+import httpx
+
+from cli.config import (
+    CLIConfig,
+    clear_token,
+    load_config,
+    save_config,
+    validate_token,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class RegistryClient:
+    """HTTP client for Registry API with auto-refresh on 401/403"""
+
+    def __init__(self, config: Optional[CLIConfig] = None):
+        self.config = config or load_config()
+        self._client = httpx.Client(timeout=30.0)
+
+    def _get_headers(self) -> dict[str, str]:
+        """Get request headers including auth token if available"""
+        headers = {"Content-Type": "application/json"}
+        if self.config.access_token:
+            headers["Authorization"] = f"Bearer {self.config.access_token}"
+        return headers
+
+    def _refresh_token(self) -> bool:
+        """Refresh the access token via /v1/oauth/refresh."""
+        if not self.config.refresh_token:
+            logger.warning("No refresh token available")
+            clear_token(self.config)
+            return False
+
+        try:
+            from datetime import datetime, timedelta, timezone
+
+            response = self._client.post(
+                f"{self.config.auth_url}/v1/oauth/refresh",
+                json={
+                    "grant_type": "refresh_token",
+                    "refresh_token": self.config.refresh_token,
+                    "client_id": self.config.client_id,
+                },
+            )
+            response.raise_for_status()
+            token_data = response.json()
+
+            access_token = token_data["access_token"]
+            claims = validate_token(access_token)
+            if claims is None:
+                logger.warning("Refreshed token failed validation")
+                clear_token(self.config)
+                return False
+
+            token_expires_in = token_data.get("expires_in", 3600)
+            expires_at = datetime.now(timezone.utc) + timedelta(
+                seconds=token_expires_in
+            )
+
+            self.config.access_token = access_token
+            if "refresh_token" in token_data:
+                self.config.refresh_token = token_data["refresh_token"]
+            self.config.token_expires_at = expires_at.isoformat()
+            save_config(self.config)
+
+            logger.info("Token refreshed successfully")
+            return True
+
+        except Exception as e:
+            logger.warning("Token refresh failed: %s", e)
+            clear_token(self.config)
+            return False
+
+    def _request(
+        self,
+        method: str,
+        path: str,
+        json: Optional[dict] = None,
+        retry_auth: bool = True,
+    ) -> httpx.Response:
+        """Make an authenticated request with auto-refresh on 401."""
+        url = f"{self.config.api_url}{path}"
+        headers = self._get_headers()
+
+        response = self._client.request(method, url, json=json, headers=headers)
+
+        if response.status_code in (401, 403) and retry_auth:
+            logger.info("Token expired, attempting refresh...")
+            if self._refresh_token():
+                headers = self._get_headers()
+                response = self._client.request(method, url, json=json, headers=headers)
+
+        return response
+
+    def get(self, path: str) -> httpx.Response:
+        return self._request("GET", path)
+
+    def post(self, path: str, json: Optional[dict] = None) -> httpx.Response:
+        return self._request("POST", path, json=json)
+
+    def patch(self, path: str, json: Optional[dict] = None) -> httpx.Response:
+        return self._request("PATCH", path, json=json)
+
+    def delete(self, path: str) -> httpx.Response:
+        return self._request("DELETE", path)
+
+    def close(self) -> None:
+        self._client.close()
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *args):
+        self.close()

blockmachine-0.1.0/commands/__init__.py

@@ -0,0 +1 @@
+"""CLI command modules"""

blockmachine-0.1.0/commands/auth.py

@@ -0,0 +1,220 @@
+"""Authentication helpers for OAuth device flow"""
+
+import time
+import webbrowser
+
+import httpx
+import typer
+from rich.console import Console
+from rich.live import Live
+from rich.spinner import Spinner
+
+from cli import settings
+from cli.config import CLIConfig, load_config, save_config, validate_token
+
+console = Console()
+
+
+def device_login(
+    scopes: list[str],
+    client_id: str = settings.CLIENT_ID,
+    auth_url: str = settings.AUTH_URL,
+    api_url: str | None = None,
+    no_browser: bool = False,
+) -> None:
+    """Run the OAuth device code flow with the given scopes."""
+    config = load_config()
+    config.client_id = client_id
+    config.auth_url = auth_url
+    if api_url:
+        config.api_url = api_url
+
+    try:
+        with httpx.Client(timeout=30.0) as client:
+            response = client.post(
+                f"{auth_url}/v1/device/code",
+                json={"client_id": client_id, "scopes": scopes},
+            )
+            response.raise_for_status()
+            device_data = response.json()
+
+            device_code = device_data["device_code"]
+            user_code = device_data["user_code"]
+            verification_uri = device_data["verification_uri"]
+            interval = device_data.get("interval", 5)
+            expires_in = device_data.get("expires_in", 900)
+
+            console.print()
+            console.print("[bold]To authenticate, visit:[/bold]")
+            console.print(f"  [cyan]{verification_uri}[/cyan]")
+            console.print()
+            console.print(f"[bold]Enter code:[/bold] [yellow]{user_code}[/yellow]")
+            console.print()
+
+            if not no_browser:
+                try:
+                    webbrowser.open(verification_uri)
+                    console.print("[dim]Browser opened automatically.[/dim]")
+                except Exception:
+                    console.print(
+                        "[dim]Could not open browser. Please visit the URL above.[/dim]"
+                    )
+
+            _poll_for_token(
+                client,
+                config,
+                auth_url,
+                client_id,
+                device_code,
+                interval,
+                expires_in,
+            )
+
+    except httpx.HTTPStatusError as e:
+        console.print(
+            f"[red]API error:[/red] {e.response.status_code} - {e.response.text}"
+        )
+        raise typer.Exit(1)
+    except typer.Exit:
+        raise
+    except Exception as e:
+        console.print(f"[red]Error:[/red] {e}")
+        raise typer.Exit(1)
+
+
+def _poll_for_token(
+    client: httpx.Client,
+    config: CLIConfig,
+    auth_url: str,
+    client_id: str,
+    device_code: str,
+    interval: int,
+    expires_in: int,
+) -> None:
+    """Poll the token endpoint until authorization completes."""
+    deadline = time.time() + expires_in
+    poll_interval = interval
+
+    with Live(
+        Spinner("dots", text="Waiting for browser authorization..."),
+        console=console,
+        transient=True,
+    ):
+        while time.time() < deadline:
+            time.sleep(poll_interval)
+
+            token_response = client.post(
+                f"{auth_url}/v1/device/token",
+                json={
+                    "client_id": client_id,
+                    "device_code": device_code,
+                    "grant_type": ("urn:ietf:params:oauth:grant-type:device_code"),
+                },
+            )
+
+            if token_response.status_code == 200:
+                _save_token_response(config, token_response.json())
+                return
+
+            error = _extract_error(token_response)
+            if error == "authorization_pending":
+                continue
+            if error == "slow_down":
+                poll_interval += 5
+                continue
+            if error == "expired_token":
+                console.print("\n[red]Login timed out.[/red] Please try again.")
+                raise typer.Exit(1)
+            if error == "access_denied":
+                console.print("\n[red]Login was denied.[/red]")
+                raise typer.Exit(1)
+
+            console.print(f"\n[red]Error:[/red] {error}")
+            raise typer.Exit(1)
+
+    console.print("\n[red]Login timed out.[/red] Please try again.")
+    raise typer.Exit(1)
+
+
+def _save_token_response(config: CLIConfig, token_data: dict) -> None:
+    """Validate and persist a token response."""
+    from datetime import datetime, timedelta, timezone
+
+    access_token = token_data["access_token"]
+
+    claims = validate_token(access_token)
+    if claims is None:
+        console.print(
+            "\n[red]Token validation failed.[/red]"
+            " The token issuer or signature is invalid."
+        )
+        raise typer.Exit(1)
+
+    token_expires_in = token_data.get("expires_in", 3600)
+    expires_at = datetime.now(timezone.utc) + timedelta(seconds=token_expires_in)
+
+    config.access_token = access_token
+    config.refresh_token = token_data.get("refresh_token")
+    config.token_expires_at = expires_at.isoformat()
+    save_config(config)
+
+    console.print("\n[green]Login successful![/green]")
+    exp_str = expires_at.strftime("%Y-%m-%d %H:%M:%S UTC")
+    console.print(f"[dim]Token expires: {exp_str}[/dim]")
+
+    scopes = claims.get("scopes", token_data.get("scopes", []))
+    if scopes:
+        console.print(f"[dim]Scopes: {', '.join(scopes)}[/dim]")
+
+
+def _extract_error(response: httpx.Response) -> str:
+    """Extract error string from a token endpoint response."""
+    try:
+        data = response.json()
+        return data.get("error_description") or data.get("error", "")
+    except Exception:
+        return f"HTTP {response.status_code}"
+
+
+def check_status() -> None:
+    """Print current authentication status."""
+    from cli.config import is_token_valid
+
+    config = load_config()
+
+    console.print(f"[bold]API URL:[/bold] {config.api_url}")
+    console.print(f"[bold]Auth provider:[/bold] {config.auth_url}")
+    console.print(f"[bold]Client ID:[/bold] {config.client_id}")
+
+    if config.access_token:
+        if is_token_valid(config):
+            claims = validate_token(config.access_token)
+            if claims:
+                console.print(
+                    f"[green]Token valid[/green]"
+                    f" (issuer: {claims.get('iss', 'unknown')})"
+                )
+                scopes = claims.get("scopes", [])
+                if scopes:
+                    console.print(f"[dim]Scopes: {', '.join(scopes)}[/dim]")
+                sub = claims.get("sub")
+                if sub:
+                    console.print(f"[dim]Subject: {sub}[/dim]")
+        else:
+            console.print("[yellow]Token expired or invalid[/yellow]")
+
+        if config.refresh_token:
+            console.print("[dim]Refresh token: available[/dim]")
+        else:
+            console.print("[dim]Refresh token: not available[/dim]")
+    else:
+        console.print("[red]Not logged in[/red]")
+
+
+def do_logout() -> None:
+    """Clear stored authentication tokens."""
+    from cli.config import clear_token
+
+    config = load_config()
+    clear_token(config)
+    console.print("[green]Logged out[/green]")

blockmachine-0.1.0/commands/miner.py

@@ -0,0 +1,587 @@
+"""Miner commands: node registration, secrets, and pricing"""
+
+import getpass
+import time
+from typing import Optional
+
+import typer
+from rich.console import Console
+from rich.table import Table
+
+from cli.client import RegistryClient
+from cli import settings
+from cli.commands.auth import check_status, device_login, do_logout
+from cli.config import load_config, save_config
+from cli.utils import format_timestamp, resolve_node_id
+
+app = typer.Typer(help="Miner node management")
+secret_app = typer.Typer(help="Secret management")
+price_app = typer.Typer(help="Pricing management")
+
+app.add_typer(secret_app, name="secret")
+app.add_typer(price_app, name="price")
+
+console = Console()
+
+CHAIN = "tao"
+
+
+def _get_alias(alias: Optional[str]) -> str:
+    """Resolve alias from argument or active node context."""
+    if alias:
+        return alias
+    config = load_config()
+    if config.active_miner_node:
+        return config.active_miner_node
+    console.print(
+        "[red]No node specified and no active node set.[/red]\n"
+        "Run 'bm miner use <alias>' first."
+    )
+    raise typer.Exit(1)
+
+
+def _resolve_node(client: RegistryClient, id_or_alias: str) -> str:
+    """Resolve an alias or ID to a node UUID."""
+    response = client.get("/nodes")
+    if response.status_code != 200:
+        console.print(f"[red]Error:[/red] {response.status_code}")
+        raise typer.Exit(1)
+    node_id = resolve_node_id(response.json(), id_or_alias)
+    if not node_id:
+        console.print(f"[red]Node not found:[/red] {id_or_alias}")
+        raise typer.Exit(1)
+    return node_id
+
+
+# ── Auth ─────────────────────────────────────────────────────────
+
+
+@app.command("login")
+def login(
+    client_id: str = typer.Option(
+        settings.CLIENT_ID, "--client-id", help="OAuth client ID"
+    ),
+    auth_url: str = typer.Option(
+        settings.AUTH_URL, "--auth-url", help="TaoStats auth URL"
+    ),
+    api_url: str = typer.Option(None, "--api-url", "-u", help="Registry API URL"),
+    no_browser: bool = typer.Option(
+        False, "--no-browser", help="Don't auto-open browser"
+    ),
+) -> None:
+    """Login with miner scopes."""
+    device_login(
+        scopes=settings.MINER_SCOPES,
+        client_id=client_id,
+        auth_url=auth_url,
+        api_url=api_url,
+        no_browser=no_browser,
+    )
+
+
+@app.command("status")
+def status() -> None:
+    """Check authentication status."""
+    check_status()
+
+
+@app.command("logout")
+def logout() -> None:
+    """Clear stored authentication tokens."""
+    do_logout()
+
+
+# ── Node CRUD ────────────────────────────────────────────────────
+
+
+@app.command("add")
+def add(
+    endpoint: str = typer.Option(None, "--endpoint", "-e", help="WSS endpoint URL"),
+    alias: str = typer.Option(None, "--alias", "-a", help="Friendly name"),
+    secret: str = typer.Option(None, "--secret", "-s", help="Bearer token secret"),
+    price: str = typer.Option(None, "--price", "-p", help="USD per compute unit"),
+) -> None:
+    """Register a new miner node (interactive if flags omitted)."""
+    if not endpoint:
+        endpoint = typer.prompt("Endpoint (wss://...)")
+    if not alias:
+        default = _default_alias(endpoint)
+        alias = typer.prompt("Alias", default=default)
+    if not secret:
+        secret = getpass.getpass("Secret: ")
+    if not price:
+        price = typer.prompt("Price (USD/CU)")
+
+    if len(secret) < 16:
+        console.print("[red]Secret must be at least 16 characters[/red]")
+        raise typer.Exit(1)
+
+    config = load_config()
+    with RegistryClient(config) as client:
+        node_id = _create_node(client, endpoint, alias)
+        _set_node_secret(client, node_id, secret)
+        _set_node_price(client, node_id, price)
+
+    config.active_miner_node = alias
+    save_config(config)
+
+    console.print(f"\n[dim]Active node set to '{alias}'[/dim]")
+
+
+def _default_alias(endpoint: str) -> str:
+    """Derive a default alias from an endpoint URL."""
+    host = endpoint.replace("wss://", "").replace("ws://", "")
+    host = host.split(":")[0].split("/")[0]
+    return f"tao-{host.replace('.', '-')}"
+
+
+def _create_node(client: RegistryClient, endpoint: str, alias: str) -> str:
+    """Register a node and return its ID."""
+    response = client.post(
+        "/nodes",
+        json={"endpoint": endpoint, "chain": CHAIN, "alias": alias},
+    )
+    if response.status_code == 201:
+        data = response.json()
+        console.print(f"[green]Node registered:[/green] {data['id'][:8]}")
+        return data["id"]
+    if response.status_code == 401:
+        console.print("[red]Not authenticated.[/red] Run 'bm miner login' first.")
+        raise typer.Exit(1)
+    if response.status_code == 409:
+        detail = response.json().get("detail", "Alias already exists")
+        console.print(f"[red]Conflict:[/red] {detail}")
+        raise typer.Exit(1)
+    console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+    raise typer.Exit(1)
+
+
+def _set_node_secret(client: RegistryClient, node_id: str, secret: str) -> None:
+    """Set the secret on a node."""
+    response = client.post(
+        f"/nodes/{node_id}/secret",
+        json={"secret": secret, "rotate": False},
+    )
+    if response.status_code == 201:
+        console.print("[green]Secret set[/green]")
+        return
+    console.print(
+        f"[red]Failed to set secret:[/red] {response.status_code} - {response.text}"
+    )
+    raise typer.Exit(1)
+
+
+def _set_node_price(client: RegistryClient, node_id: str, price: str) -> None:
+    """Set the price on a node."""
+    epoch_length_sec = 300 * 12
+    epoch = int(time.time() / epoch_length_sec) + 1
+
+    response = client.post(
+        f"/nodes/{node_id}/price",
+        json={
+            "target_usd_per_cu": price,
+            "effective_from_epoch": epoch,
+        },
+    )
+    if response.status_code == 201:
+        data = response.json()
+        console.print(
+            f"[green]Price set:[/green]"
+            f" {data['target_usd_per_cu']} USD/CU"
+            f" (epoch {data['effective_from_epoch']})"
+        )
+        return
+    console.print(
+        f"[red]Failed to set price:[/red] {response.status_code} - {response.text}"
+    )
+    raise typer.Exit(1)
+
+
+@app.command("use")
+def use(
+    alias: str = typer.Argument(..., help="Node alias to set as active"),
+) -> None:
+    """Set the active miner node for subsequent commands."""
+    config = load_config()
+    config.active_miner_node = alias
+    save_config(config)
+    console.print(f"Active miner node: [bold]{alias}[/bold]")
+
+
+@app.command("ls")
+def ls() -> None:
+    """List all miner nodes."""
+    config = load_config()
+    with RegistryClient(config) as client:
+        response = client.get("/nodes")
+
+    if response.status_code == 401:
+        console.print("[red]Not authenticated.[/red] Run 'bm miner login' first.")
+        raise typer.Exit(1)
+    if response.status_code != 200:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+    nodes = response.json().get("nodes", [])
+    if not nodes:
+        console.print("[dim]No nodes registered[/dim]")
+        return
+
+    active = config.active_miner_node
+    table = Table(title="Miner Nodes")
+    table.add_column("", width=1)
+    table.add_column("Alias")
+    table.add_column("Chain")
+    table.add_column("Status")
+    table.add_column("Endpoint")
+    table.add_column("Last Seen")
+
+    for node in nodes:
+        status_color = {
+            "active": "green",
+            "pending": "yellow",
+            "unreachable": "red",
+            "suspended": "red",
+        }.get(node["status"], "white")
+        marker = "*" if node.get("alias") == active else ""
+
+        table.add_row(
+            marker,
+            node.get("alias") or node["id"][:8],
+            node["chain"],
+            f"[{status_color}]{node['status']}[/{status_color}]",
+            _truncate(node["endpoint"], 40),
+            format_timestamp(node.get("last_seen_at")),
+        )
+
+    console.print(table)
+
+
+def _truncate(text: str, length: int) -> str:
+    if len(text) <= length:
+        return text
+    return text[:length] + "..."
+
+
+@app.command("show")
+def show(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+) -> None:
+    """Show details of a miner node."""
+    alias = _get_alias(alias)
+    config = load_config()
+
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.get(f"/nodes/{node_id}")
+
+    if response.status_code == 404:
+        console.print(f"[red]Node not found:[/red] {alias}")
+        raise typer.Exit(1)
+    if response.status_code != 200:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+    node = response.json()
+    console.print(f"[bold]ID:[/bold] {node['id']}")
+    console.print(f"[bold]Alias:[/bold] {node.get('alias') or '-'}")
+    console.print(f"[bold]Chain:[/bold] {node['chain']}")
+    console.print(f"[bold]Status:[/bold] {node['status']}")
+    console.print(f"[bold]Endpoint:[/bold] {node['endpoint']}")
+    console.print(f"[bold]Created:[/bold] {format_timestamp(node['created_at'])}")
+    console.print(
+        f"[bold]Last Seen:[/bold] {format_timestamp(node.get('last_seen_at'))}"
+    )
+
+
+@app.command("rm")
+def rm(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+    force: bool = typer.Option(False, "--force", "-f", help="Skip confirmation"),
+) -> None:
+    """Remove a miner node."""
+    alias = _get_alias(alias)
+    config = load_config()
+
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+
+        if not force:
+            confirm = typer.confirm(f"Delete node {alias}?")
+            if not confirm:
+                console.print("[dim]Cancelled[/dim]")
+                return
+
+        response = client.delete(f"/nodes/{node_id}")
+
+    if response.status_code == 204:
+        console.print("[green]Node deleted[/green]")
+        if config.active_miner_node == alias:
+            config.active_miner_node = None
+            save_config(config)
+    elif response.status_code == 404:
+        console.print(f"[red]Node not found:[/red] {alias}")
+        raise typer.Exit(1)
+    else:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+
+@app.command("update")
+def update(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+    new_alias: str = typer.Option(None, "--alias", "-a", help="New alias"),
+    endpoint: str = typer.Option(None, "--endpoint", "-e", help="New endpoint"),
+) -> None:
+    """Update a node's alias or endpoint."""
+    alias = _get_alias(alias)
+
+    if not new_alias and not endpoint:
+        console.print(
+            "[yellow]Nothing to update. Specify --alias or --endpoint[/yellow]"
+        )
+        return
+
+    config = load_config()
+    update_data: dict = {}
+    if new_alias:
+        update_data["alias"] = new_alias
+    if endpoint:
+        update_data["endpoint"] = endpoint
+
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.patch(f"/nodes/{node_id}", json=update_data)
+
+    if response.status_code == 200:
+        console.print("[green]Node updated[/green]")
+        if new_alias and config.active_miner_node == alias:
+            config.active_miner_node = new_alias
+            save_config(config)
+    elif response.status_code == 409:
+        detail = response.json().get("detail", "Alias already exists")
+        console.print(f"[red]Conflict:[/red] {detail}")
+        raise typer.Exit(1)
+    else:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+
+# ── Secrets ──────────────────────────────────────────────────────
+
+
+@secret_app.command("set")
+def secret_set(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+    secret: str = typer.Option(
+        None,
+        "--secret",
+        "-s",
+        help="Secret value (will prompt if not provided)",
+    ),
+) -> None:
+    """Set the bearer token secret for a node."""
+    alias = _get_alias(alias)
+
+    if not secret:
+        secret = getpass.getpass("Enter secret: ")
+        confirm = getpass.getpass("Confirm secret: ")
+        if secret != confirm:
+            console.print("[red]Secrets do not match[/red]")
+            raise typer.Exit(1)
+
+    if len(secret) < 16:
+        console.print("[red]Secret must be at least 16 characters[/red]")
+        raise typer.Exit(1)
+
+    config = load_config()
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.post(
+            f"/nodes/{node_id}/secret",
+            json={"secret": secret, "rotate": False},
+        )
+
+    if response.status_code == 201:
+        data = response.json()
+        console.print("[green]Secret set[/green]")
+        console.print(f"[bold]Version:[/bold] {data['version']}")
+    else:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+
+@secret_app.command("show")
+def secret_show(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+) -> None:
+    """Show secret metadata (not the secret itself)."""
+    alias = _get_alias(alias)
+    config = load_config()
+
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.get(f"/nodes/{node_id}/secret")
+
+    if response.status_code != 200:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+    secrets = response.json().get("secrets", [])
+    if not secrets:
+        console.print("[dim]No secrets configured[/dim]")
+        return
+
+    table = Table(title="Secrets")
+    table.add_column("Version")
+    table.add_column("State")
+    table.add_column("Created")
+
+    for s in secrets:
+        color = {"active": "green", "next": "yellow", "retired": "dim"}.get(
+            s["state"], "white"
+        )
+        table.add_row(
+            str(s["version"]),
+            f"[{color}]{s['state']}[/{color}]",
+            format_timestamp(s["created_at"]),
+        )
+
+    console.print(table)
+
+
+@secret_app.command("promote")
+def secret_promote(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+) -> None:
+    """Promote the 'next' secret to 'active'."""
+    alias = _get_alias(alias)
+    config = load_config()
+
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.post(f"/nodes/{node_id}/secret/promote")
+
+    if response.status_code == 200:
+        data = response.json()
+        console.print("[green]Secret promoted[/green]")
+        console.print(f"[bold]Version:[/bold] {data['version']}")
+    else:
+        detail = response.json().get("detail", response.text)
+        console.print(f"[red]Error:[/red] {detail}")
+        raise typer.Exit(1)
+
+
+# ── Pricing ──────────────────────────────────────────────────────
+
+
+@price_app.command("set")
+def price_set(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+    price: str = typer.Option(..., "--price", "-p", help="Target USD per compute unit"),
+    epoch: int = typer.Option(
+        None,
+        "--epoch",
+        "-e",
+        help="Effective from epoch (default: next epoch)",
+    ),
+) -> None:
+    """Set a price for a node."""
+    alias = _get_alias(alias)
+
+    if epoch is None:
+        epoch_length_sec = 300 * 12
+        epoch = int(time.time() / epoch_length_sec) + 1
+
+    config = load_config()
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.post(
+            f"/nodes/{node_id}/price",
+            json={
+                "target_usd_per_cu": price,
+                "effective_from_epoch": epoch,
+            },
+        )
+
+    if response.status_code == 201:
+        data = response.json()
+        console.print(
+            f"[green]Price set:[/green]"
+            f" {data['target_usd_per_cu']} USD/CU"
+            f" (epoch {data['effective_from_epoch']})"
+        )
+    elif response.status_code == 400:
+        detail = response.json().get("detail", "Invalid request")
+        console.print(f"[red]Error:[/red] {detail}")
+        raise typer.Exit(1)
+    else:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+
+@price_app.command("show")
+def price_show(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+) -> None:
+    """Show the current price for a node."""
+    alias = _get_alias(alias)
+    config = load_config()
+
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.get(f"/nodes/{node_id}/price")
+
+    if response.status_code == 200:
+        data = response.json()
+        console.print(f"[bold]Price:[/bold] {data['target_usd_per_cu']} USD/CU")
+        console.print(
+            f"[bold]Effective from epoch:[/bold] {data['effective_from_epoch']}"
+        )
+        console.print(f"[bold]Set at:[/bold] {format_timestamp(data['created_at'])}")
+    elif response.status_code == 404:
+        detail = response.json().get("detail", "Not found")
+        if "No price" in detail:
+            console.print("[dim]No price set for this node[/dim]")
+        else:
+            console.print(f"[red]Node not found:[/red] {alias}")
+        raise typer.Exit(1)
+    else:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+
+@price_app.command("history")
+def price_history(
+    alias: str = typer.Argument(None, help="Node alias or ID"),
+) -> None:
+    """Show price history for a node."""
+    alias = _get_alias(alias)
+    config = load_config()
+
+    with RegistryClient(config) as client:
+        node_id = _resolve_node(client, alias)
+        response = client.get(f"/nodes/{node_id}/price/history")
+
+    if response.status_code != 200:
+        console.print(f"[red]Error:[/red] {response.status_code} - {response.text}")
+        raise typer.Exit(1)
+
+    prices = response.json().get("prices", [])
+    if not prices:
+        console.print("[dim]No price history[/dim]")
+        return
+
+    table = Table(title="Price History")
+    table.add_column("Epoch")
+    table.add_column("Price (USD/CU)")
+    table.add_column("Set At")
+
+    for p in prices:
+        table.add_row(
+            str(p["effective_from_epoch"]),
+            p["target_usd_per_cu"],
+            format_timestamp(p["created_at"]),
+        )
+
+    console.print(table)

blockmachine-0.1.0/config.py

@@ -0,0 +1,127 @@
+"""CLI configuration management — user state persisted to disk."""
+
+import json
+import logging
+import os
+from dataclasses import asdict, dataclass
+from pathlib import Path
+from typing import Optional
+
+import jwt
+
+from cli import settings
+
+logger = logging.getLogger(__name__)
+
+_jwks_client: jwt.PyJWKClient | None = None
+
+
+def _get_jwks_client() -> jwt.PyJWKClient:
+    global _jwks_client
+    if _jwks_client is None:
+        _jwks_client = jwt.PyJWKClient(settings.JWKS_URI)
+    return _jwks_client
+
+
+@dataclass
+class CLIConfig:
+    """User state stored in ~/.blockmachine/config.json"""
+
+    api_url: str = settings.API_URL
+    access_token: Optional[str] = None
+    refresh_token: Optional[str] = None
+    token_expires_at: Optional[str] = None
+    auth_url: str = settings.AUTH_URL
+    client_id: str = settings.CLIENT_ID
+    active_miner_node: Optional[str] = None
+
+
+def get_config_dir() -> Path:
+    return Path.home() / ".blockmachine"
+
+
+def get_config_path() -> Path:
+    return get_config_dir() / "config.json"
+
+
+def load_config() -> CLIConfig:
+    """Load user config from disk, falling back to settings defaults."""
+    config_path = get_config_path()
+
+    if not config_path.exists():
+        return CLIConfig()
+
+    try:
+        with open(config_path) as f:
+            data = json.load(f)
+            return CLIConfig(
+                api_url=data.get("api_url", settings.API_URL),
+                access_token=(data.get("access_token") or data.get("token")),
+                refresh_token=data.get("refresh_token"),
+                token_expires_at=data.get("token_expires_at"),
+                auth_url=data.get("auth_url", settings.AUTH_URL),
+                client_id=data.get("client_id", settings.CLIENT_ID),
+                active_miner_node=data.get("active_miner_node"),
+            )
+    except (json.JSONDecodeError, IOError):
+        return CLIConfig()
+
+
+def save_config(config: CLIConfig) -> None:
+    config_dir = get_config_dir()
+    config_dir.mkdir(parents=True, exist_ok=True)
+
+    config_path = get_config_path()
+    with open(config_path, "w") as f:
+        json.dump(asdict(config), f, indent=2)
+
+    os.chmod(config_path, 0o600)
+
+
+def _fetch_signing_key(token: str) -> jwt.PyJWK:
+    """Fetch the signing key, retrying with a fresh JWKS client on failure."""
+    global _jwks_client
+    try:
+        return _get_jwks_client().get_signing_key_from_jwt(token)
+    except jwt.PyJWKClientError:
+        logger.info("JWKS fetch failed, refreshing cached client")
+        _jwks_client = None
+        return _get_jwks_client().get_signing_key_from_jwt(token)
+
+
+def validate_token(token: str) -> dict | None:
+    """Validate a JWT against the JWKS and expected issuer."""
+    try:
+        signing_key = _fetch_signing_key(token)
+        return jwt.decode(
+            token,
+            signing_key.key,
+            algorithms=["RS256"],
+            issuer=settings.AUTH_URL,
+            audience=settings.AUDIENCE,
+            options={"require": ["exp", "iss", "sub"]},
+        )
+    except jwt.ExpiredSignatureError:
+        logger.debug("Token expired (JWT exp claim)")
+        return None
+    except jwt.InvalidIssuerError:
+        logger.warning("Token issuer mismatch")
+        return None
+    except jwt.PyJWTError as e:
+        logger.warning("JWT validation failed: %s", e)
+        return None
+
+
+def is_token_valid(config: CLIConfig) -> bool:
+    """Check if the stored token is valid via JWT signature + issuer."""
+    if not config.access_token:
+        return False
+    return validate_token(config.access_token) is not None
+
+
+def clear_token(config: CLIConfig) -> CLIConfig:
+    config.access_token = None
+    config.refresh_token = None
+    config.token_expires_at = None
+    save_config(config)
+    return config

blockmachine-0.1.0/main.py

@@ -0,0 +1,22 @@
+"""BlockMachine CLI main entrypoint"""
+
+import typer
+
+from cli.commands.miner import app as miner_app
+
+app = typer.Typer(
+    name="bm",
+    help="BlockMachine CLI",
+    no_args_is_help=True,
+)
+
+app.add_typer(miner_app, name="miner", help="Miner node management")
+
+
+def main() -> None:
+    """Main entry point"""
+    app()
+
+
+if __name__ == "__main__":
+    main()

blockmachine-0.1.0/pyproject.toml

@@ -0,0 +1,33 @@
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "blockmachine"
+version = "0.1.0"
+description = "BlockMachine CLI - Miner operator interface"
+requires-python = ">=3.10"
+license = "MIT"
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Environment :: Console",
+    "Programming Language :: Python :: 3",
+]
+dependencies = [
+    "typer[all]>=0.9.0",
+    "rich>=13.7.0",
+    "httpx>=0.27.0",
+    "PyJWT>=2.9.0",
+    "cryptography>=44.0.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/taostat/blockmachine"
+
+[project.scripts]
+bm = "cli.main:main"
+blockmachine = "cli.main:main"
+
+[tool.setuptools]
+packages = ["cli", "cli.commands"]
+package-dir = {"cli" = ".", "cli.commands" = "commands"}

blockmachine-0.1.0/settings.py

@@ -0,0 +1,12 @@
+"""Application defaults with environment variable overrides."""
+
+import os
+
+AUTH_URL = os.environ.get("BM_AUTH_URL", "https://test-auth.taostats.io")
+API_URL = os.environ.get("BM_API_URL", "https://api.blockmachine.io")
+CLIENT_ID = os.environ.get("BM_CLIENT_ID", "07f5c729-5ca7-412a-b5e7-4966e132548e")
+AUDIENCE = "bittensor-apps"
+JWKS_URI = f"{AUTH_URL}/.well-known/jwks.json"
+
+MINER_SCOPES = ["subnet:19:miner"]
+VALIDATOR_SCOPES = ["subnet:19:validator"]

blockmachine-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

blockmachine-0.1.0/utils.py

@@ -0,0 +1,46 @@
+"""CLI utility functions"""
+
+import logging
+from typing import Optional
+
+logger = logging.getLogger(__name__)
+
+
+def resolve_node_id(db_response: dict, id_or_alias: str) -> Optional[str]:
+    """
+    Resolve a node ID or alias to a node ID.
+
+    Args:
+        db_response: Response from nodes list API
+        id_or_alias: Either a node UUID or an alias
+
+    Returns:
+        Node UUID string or None if not found
+    """
+    nodes = db_response.get("nodes", [])
+
+    # First try exact ID match
+    for node in nodes:
+        if str(node.get("id")) == id_or_alias:
+            return str(node["id"])
+
+    # Then try alias match
+    for node in nodes:
+        if node.get("alias") == id_or_alias:
+            return str(node["id"])
+
+    return None
+
+
+def format_timestamp(iso_string: Optional[str]) -> str:
+    """Format an ISO timestamp for display"""
+    if not iso_string:
+        return "N/A"
+
+    try:
+        from datetime import datetime
+
+        dt = datetime.fromisoformat(iso_string.replace("Z", "+00:00"))
+        return dt.strftime("%Y-%m-%d %H:%M:%S")
+    except (ValueError, AttributeError):
+        return iso_string